refactor: migrate Tool Permissions from Settings to /settings/tools

- Remove Tool Permissions form from settings.html; replace with a "Tool Settings →" link that redirects to /settings/tools - Add Confirmation Gate section to tools_settings.html (allow/deny textareas) inside the same form as risk policy — one save covers all - tools_settings.py save handler now writes allow/deny alongside max_risk/whitelist/blacklist into tool_policy.json - Remove /settings/tool-policy POST route from settings.py (no longer needed) - Remove get_tool_policy, save_tool_policy, CONFIRM_REQUIRED imports from settings.py (now owned by tools_settings.py) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 22:50:48 -04:00
parent 69ec2f667d
commit 8ab1942514
4 changed files with 56 additions and 60 deletions
--- a/cortex/static/settings.html
+++ b/cortex/static/settings.html
@@ -379,33 +379,18 @@
      </a>
    </div>

-    <!-- Tool Permissions -->
+    <!-- Tool Permissions → moved to /settings/tools -->
    <div class="section">
      <h2>Tool Permissions</h2>
-      <p style="font-size:0.8rem; color:var(--pg-muted); margin-bottom:0.5rem; line-height:1.55;">
-        Override the default confirmation gate for orchestrator tools.
-        <strong>Allow list</strong> — tools that run without asking for confirmation.
-        <strong>Deny list</strong> — tools that are always blocked for your account.
-        One tool name per line.
+      <p style="font-size:0.85rem; color:var(--pg-muted); margin-bottom:1rem; line-height:1.55;">
+        Configure tool access, risk policy, and confirmation gate overrides on the Tools page.
      </p>
-      <p style="font-size:0.78rem; color:var(--pg-muted); margin-bottom:0.85rem;">
-        Tools requiring confirmation by default: <code>{{ confirm_required_tools }}</code>
-      </p>
-      <form method="POST" action="/settings/tool-policy">
-        <div class="form-group">
-          <label for="allow_list">Allow list (bypass confirmation)</label>
-          <textarea id="allow_list" name="allow_list" rows="3"
-                    placeholder="reminders_clear&#10;cron_remove"
-                    autocomplete="off" spellcheck="false">{{ tool_allow }}</textarea>
-        </div>
-        <div class="form-group">
-          <label for="deny_list">Deny list (always block)</label>
-          <textarea id="deny_list" name="deny_list" rows="3"
-                    placeholder="shell_exec&#10;file_write"
-                    autocomplete="off" spellcheck="false">{{ tool_deny }}</textarea>
-        </div>
-        <button type="submit">Save tool permissions</button>
-      </form>
+      <a href="/settings/tools"
+         style="display:inline-block; padding:0.45rem 1.1rem; background:var(--pg-accent,#7c3aed);
+                color:#fff; border-radius:0.5rem; font-size:0.875rem; font-weight:600;
+                text-decoration:none;">
+        Tool Settings →
+      </a>
    </div>

    <!-- Browser cache -->
--- a/cortex/static/tools_settings.html
+++ b/cortex/static/tools_settings.html
@@ -191,6 +191,41 @@
    <!-- ── Tool table ── -->
 {{ tool_table_html }}

+    <!-- ── Confirmation gate ── -->
+    <div class="policy-card" style="margin-top:1.75rem;">
+      <h2>Confirmation Gate</h2>
+      <p class="policy-note" style="margin-bottom:0.85rem;">
+        Some tools require explicit confirmation before executing. Override the defaults here.<br>
+        Tools requiring confirmation by default: <code style="font-size:0.78rem;">{{ confirm_required_tools }}</code>
+      </p>
+      <div class="policy-row" style="align-items:flex-start; gap:1.5rem; flex-wrap:wrap;">
+        <div style="flex:1; min-width:200px;">
+          <label style="display:block; font-size:0.8rem; font-weight:600; margin-bottom:0.35rem;">
+            Allow list — bypass confirmation
+          </label>
+          <textarea name="allow_list" rows="4"
+                    placeholder="reminders_clear&#10;cron_remove"
+                    autocomplete="off" spellcheck="false"
+                    style="width:100%; background:var(--pg-bg); border:1px solid var(--pg-border);
+                           border-radius:0.375rem; color:var(--pg-text); padding:0.45rem 0.65rem;
+                           font-size:0.82rem; font-family:monospace; resize:vertical;">{{ tool_allow }}</textarea>
+          <p class="policy-note">One tool name per line. These tools skip the confirmation prompt.</p>
+        </div>
+        <div style="flex:1; min-width:200px;">
+          <label style="display:block; font-size:0.8rem; font-weight:600; margin-bottom:0.35rem;">
+            Deny list — always block
+          </label>
+          <textarea name="deny_list" rows="4"
+                    placeholder="shell_exec&#10;file_write"
+                    autocomplete="off" spellcheck="false"
+                    style="width:100%; background:var(--pg-bg); border:1px solid var(--pg-border);
+                           border-radius:0.375rem; color:var(--pg-text); padding:0.45rem 0.65rem;
+                           font-size:0.82rem; font-family:monospace; resize:vertical;">{{ tool_deny }}</textarea>
+          <p class="policy-note">These tools are always blocked regardless of risk policy.</p>
+        </div>
+      </div>
+    </div>
+
    <div style="margin-top:1.5rem;">
      <button type="submit" class="save-btn">Save tool settings</button>
    </div>